From fea77abcf68384e1aeed41b154f553371012bbc7 Mon Sep 17 00:00:00 2001
From: Andreas Kling
Date: Thu, 11 Jun 2020 09:32:17 +0200
Subject: [PATCH] LibGfx: Fail PNG decoding on invalid scanline filter

Only filter types 0 thru 4 are valid.
---
 Libraries/LibGfx/PNGLoader.cpp | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/Libraries/LibGfx/PNGLoader.cpp b/Libraries/LibGfx/PNGLoader.cpp
index f88547446b..5ee237c3ba 100644
--- a/Libraries/LibGfx/PNGLoader.cpp
+++ b/Libraries/LibGfx/PNGLoader.cpp
@@ -600,6 +600,12 @@ static bool decode_png_bitmap(PNGLoadingContext& context)
 return false;
 }

+ if (filter > 4) {
+ dbg() << "Invalid PNG filter: " << filter;
+ context.state = PNGLoadingContext::State::Error;
+ return false;
+ }
+
 context.scanlines.append({ filter });
 auto& scanline_buffer = context.scanlines.last().data;
 auto row_size = ((context.width * context.channels * context.bit_depth) + 7) / 8;
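Review bot: The bound in `if (filter > 4)` is a bare literal, so nothing in the code ties it to the set of filter types the unfiltering step actually implements. A named constant, or at least a comment such as `// PNG filter types: 0 None, 1 Sub, 2 Up, 3 Average, 4 Paeth`, would keep the check and the handler in step if either one changes. decode_png_bitmap starts and ends outside the hunk, so it is not visible here whether the code that later consumes the stored filter value also rejects unknown values; rejecting before `context.scanlines.append({ filter })`, as this does, means a malformed value never reaches that state. Separately, the `row_size` expression on the last context line multiplies `context.width`, `context.channels` and `context.bit_depth` with no bound visible in this hunk; if those fields are not range-checked earlier, that product deserves the same fail-closed treatment.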